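--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1,132 @@
+---
+
+# Sets up a series of containers to automatically provision SSL certificates
+# and configure nginx for reverse proxying. Containers that should be proxied
+# need to be labelled with the following:
+#
+# com.chameth.vhost="main.domain.com,alternate.domain.com,alt2.com,..."
+# com.chameth.proxy=80
+# com.chameth.proxy.protocol=http [optional, defaults to http]
+#
+# To prove ownership of domains to Let's Encrypt, we add a DNS entry when
+# required. You will need to configure one of the letsencrypt-* services
+# below to make these changes.
+
+version: '2'
+
+services:
+
+  # etcd is a key-value server. We use it to store meta-data about docker
+  # containers which is then read by the service containers below.
+  #
+  # etcd can be distributed and accessed remotely, but this config is for
+  # a single node instance.
+  etcd:
+    image: quay.io/coreos/etcd:v2.3.3
+    command: >-
+      --name etcd0
+      --initial-cluster etcd0=http://127.0.0.1:2380
+      --initial-advertise-peer-urls http://127.0.0.1:2380
+      --initial-cluster-state new
+      --initial-cluster-token etcd-cluster-1
+      --bind-addr 0.0.0.0:2379
+    networks:
+      - etcd-services
+
+  # service-reporter interacts with docker (which is why it needs the
+  # docker.sock mounted) to get a list of current containers, and
+  # monitor when containers are added or removed. It keeps the information
+  # in etcd up-to-date.
+  reporter:
+    image: csmith/service-reporter:latest
+    links:
+      - etcd:etcd
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    networks:
+      - etcd-services
+    depends_on:
+      - etcd
+
+  # service-letsencrypt reads a list of vhosts from container labels
+  # (via etcd), and prepares a domains.txt file to send on to one of
+  # the letsencrypt-* containers below.
+  letsencrypt-updater:
+    image: csmith/service-letsencrypt:latest
+    volumes:
+      - letsencrypt-data:/letsencrypt
+    networks:
+      - etcd-services
+    depends_on:
+      - etcd
+
+  # letsencrypt-lexicon obtains Let's Encrypt certificates by modifying
+  # DNS records. It supports several major cloud DNS providers. You
+  # need to set the provider and auth tokens below.
+  letsencrypt-lexicon:
+    image: csmith/letsencrypt-lexicon:latest
+    volumes:
+      - letsencrypt-data:/letsencrypt
+    environment:
+      - STAGING=yes
+      - EMAIL=your@email.addr
+      - PROVIDER=cloudflare
+      - LEXICON_CLOUDFLARE_USERNAME=your@email.addr
+      - LEXICON_CLOUDFLARE_TOKEN=1234567890123456789012345678901234567890
+
+  # letsencrypt-generic uses a user-defined hook to update DNS entries.
+  # You need to supply your own hook, available at /dns/hook. See the
+  # letsencrypt.sh repo for details about hook arguments.
+  #letsencrypt-generic:
+  # image: csmith/letsencrypt-generic:latest
+  # volumes:
+  # - letsencrypt-data:/letsencrypt
+  # - /my/hook/script:/dns/hook
+  # environment:
+  # - STAGING=yes
+  # - EMAIL=your@email.addr
+
+  # service-nginx reads proxy information and vhosts from etcd and
+  # creates an nginx vhost config to enable SSL-terminated reverse
+  # proxying to the containers.
+  nginx-updater:
+    image: csmith/service-nginx:latest
+    volumes:
+      - nginx-config:/nginx-config
+    networks:
+      - etcd-services
+    depends_on:
+      - etcd
+
+  # Finally, nginx is what actually does the SSL termination and
+  # reverse proxying. If any containers to be proxied are on
+  # non-default networks, you'll need to specify them here and
+  # below in the top-level networks section.
+  #
+  # TODO: Automatically reload config when changed
+  # TODO: Redirect HTTP and add proper SSL options
+  nginx:
+    image: nginx:1.9
+    volumes:
+      - nginx-config:/etc/nginx/conf.d
+      - letsencrypt-data:/letsencrypt
+    ports:
+      - 80:80
+      - 443:443
+    networks:
+      - default
+      # - mynetwork
+
+volumes:
+
+  letsencrypt-data:
+
+  nginx-config:
+
+networks:
+
+  etcd-services:
+
+  # To add pre-existing networks, mark them as 'external':
+  #mynetwork:
+  # external: true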
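Review bot: The reporter service bind-mounts `/var/run/docker.sock` read-write at new line 45, and access to that socket is widely treated as host-root-equivalent; since the comment says the container only lists and monitors containers, mount it read-only, `- /var/run/docker.sock:/var/run/docker.sock:ro`, keeping in mind that `:ro` protects the socket file rather than restricting what the Docker API allows through it, so the trust placed in that image still matters. The letsencrypt-lexicon service carries the DNS API credential inline at new line 75, so a real token is likely to be committed next to the config; Compose v2 variable substitution keeps it out of the file, `- LEXICON_CLOUDFLARE_TOKEN=${LEXICON_CLOUDFLARE_TOKEN}`, with the value supplied from the shell or a `.env` file. The csmith/* images are all pulled at `:latest` while nginx is pinned to `1.9`; pinning the service images to a tag or digest would make what actually runs reproducible and reviewable. The port mappings at new lines 114–115 happen to parse as strings here, but quoting them (`"80:80"`, `"443:443"`) avoids the YAML 1.1 base-60 trap that bites container ports below 60.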